1 // SPDX-License-Identifier: GPL-2.0-only
3 * Landlock LSM - Network management and hooks
5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
6 * Copyright © 2022-2023 Microsoft Corporation
10 #include <linux/net.h>
11 #include <linux/socket.h>
20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
21 const u16 port, access_mask_t access_rights)
24 const struct landlock_id id = {
25 .key.data = (__force uintptr_t)htons(port),
26 .type = LANDLOCK_KEY_NET_PORT,
29 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
31 /* Transforms relative access rights to absolute ones. */
32 access_rights |= LANDLOCK_MASK_ACCESS_NET &
33 ~landlock_get_net_access_mask(ruleset, 0);
35 mutex_lock(&ruleset->lock);
36 err = landlock_insert_rule(ruleset, id, access_rights);
37 mutex_unlock(&ruleset->lock);
43 get_raw_handled_net_accesses(const struct landlock_ruleset *const domain)
45 access_mask_t access_dom = 0;
48 for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
49 access_dom |= landlock_get_net_access_mask(domain, layer_level);
53 static const struct landlock_ruleset *get_current_net_domain(void)
55 const struct landlock_ruleset *const dom =
56 landlock_get_current_domain();
58 if (!dom || !get_raw_handled_net_accesses(dom))
64 static int current_check_access_socket(struct socket *const sock,
65 struct sockaddr *const address,
67 const access_mask_t access_request)
70 layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
71 const struct landlock_rule *rule;
72 access_mask_t handled_access;
73 struct landlock_id id = {
74 .type = LANDLOCK_KEY_NET_PORT,
76 const struct landlock_ruleset *const dom = get_current_net_domain();
80 if (WARN_ON_ONCE(dom->num_layers < 1))
83 /* Checks if it's a (potential) TCP socket. */
84 if (sock->type != SOCK_STREAM)
87 /* Checks for minimal header length to safely read sa_family. */
88 if (addrlen < offsetofend(typeof(*address), sa_family))
91 switch (address->sa_family) {
94 if (addrlen < sizeof(struct sockaddr_in))
96 port = ((struct sockaddr_in *)address)->sin_port;
99 #if IS_ENABLED(CONFIG_IPV6)
101 if (addrlen < SIN6_LEN_RFC2133)
103 port = ((struct sockaddr_in6 *)address)->sin6_port;
105 #endif /* IS_ENABLED(CONFIG_IPV6) */
111 /* Specific AF_UNSPEC handling. */
112 if (address->sa_family == AF_UNSPEC) {
114 * Connecting to an address with AF_UNSPEC dissolves the TCP
115 * association, which have the same effect as closing the
116 * connection while retaining the socket object (i.e., the file
117 * descriptor). As for dropping privileges, closing
118 * connections is always allowed.
120 * For a TCP access control system, this request is legitimate.
121 * Let the network stack handle potential inconsistencies and
122 * return -EINVAL if needed.
124 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
128 * For compatibility reason, accept AF_UNSPEC for bind
129 * accesses (mapped to AF_INET) only if the address is
130 * INADDR_ANY (cf. __inet_bind). Checking the address is
131 * required to not wrongfully return -EACCES instead of
134 * We could return 0 and let the network stack handle these
135 * checks, but it is safer to return a proper error and test
136 * consistency thanks to kselftest.
138 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
139 /* addrlen has already been checked for AF_UNSPEC. */
140 const struct sockaddr_in *const sockaddr =
141 (struct sockaddr_in *)address;
143 if (sock->sk->__sk_common.skc_family != AF_INET)
146 if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
147 return -EAFNOSUPPORT;
151 * Checks sa_family consistency to not wrongfully return
152 * -EACCES instead of -EINVAL. Valid sa_family changes are
153 * only (from AF_INET or AF_INET6) to AF_UNSPEC.
155 * We could return 0 and let the network stack handle this
156 * check, but it is safer to return a proper error and test
157 * consistency thanks to kselftest.
159 if (address->sa_family != sock->sk->__sk_common.skc_family)
163 id.key.data = (__force uintptr_t)port;
164 BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
166 rule = landlock_find_rule(dom, id);
167 handled_access = landlock_init_layer_masks(
168 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
169 if (landlock_unmask_layers(rule, handled_access, &layer_masks,
170 ARRAY_SIZE(layer_masks)))
176 static int hook_socket_bind(struct socket *const sock,
177 struct sockaddr *const address, const int addrlen)
179 return current_check_access_socket(sock, address, addrlen,
180 LANDLOCK_ACCESS_NET_BIND_TCP);
183 static int hook_socket_connect(struct socket *const sock,
184 struct sockaddr *const address,
187 return current_check_access_socket(sock, address, addrlen,
188 LANDLOCK_ACCESS_NET_CONNECT_TCP);
191 static struct security_hook_list landlock_hooks[] __ro_after_init = {
192 LSM_HOOK_INIT(socket_bind, hook_socket_bind),
193 LSM_HOOK_INIT(socket_connect, hook_socket_connect),
196 __init void landlock_add_net_hooks(void)
198 security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),